data-breach recommendations for CISOs

Navigating personal liability: post data-breach recommendations for CISOs

/in , /by

Navigating personal liability: post data-breach recommendations for CISOs

Insights

data-breach recommendations for CISOs
Read More

CSO Online

 

Navigating personal liability: post data-breach recommendations for CISOs

 

April 29, 2024

 

By Daniel B. Garrie, Esq. and Richard A Kramer

CISOs can avoid being liable for data breaches by following legal advice, communicating effectively with internal and external stakeholders, and demonstrating commitment to avoid future incidents.

The key to minimize personal liability for CSOs and CISOs after a data breach is to act responsibly and reasonably. The current state of the law is that those involved in an organization that is threatened or affected by a data breach are expected to react reasonably under the circumstances. To meet this standard, one should engage and follow legal advice, communicate effectively, and demonstrate a commitment to addressing the breach and preventing future incidents. By following these recommendations, CSOs, and CISOs can navigate the challenging terrain of a data breach while minimizing their own risk of personal liability.

A data breach can have significant financial, reputational, legal, and emotional implications for an organization, its personnel, clients, and a wide range of others. When a data occurs, affected persons become concerned with what may have happened and how it could negatively impact them. Not only is there a real threat to their financial well-being, but there is also a perceived disquieting attack on personal privacy. And beyond those reactions, government regulators as well as politicians often spring into action for a wide range of purposes.

For chief security officers (CSOs) and chief information security officers (CISOs), a breach presents unique challenges, including potential personal liability. While it is rare, personal liability for CSOs and CISOs is not entirely out of the question. In cases where it can be demonstrated that the CSO or CISO acted negligently or failed in their duties, they could potentially be held personally liable. This could result in financial penalties, disqualification from holding director or officer positions, and, in extreme cases, criminal charges.

To read the full article, go to CSO Online

Arbitration for Asset Purchase Agreement Disputes

Arbitration as an Effective Mechanism for Resolving Asset Purchase Agreement Disputes

/in /by

Arbitration as an Effective Mechanism for Resolving Asset Purchase Agreement Disputes

Insights

Arbitration for Asset Purchase Agreement Disputes
Read More

Daily Journal

 

Arbitration as an Effective Mechanism for Resolving Asset Purchase Agreement Disputes

 

April 19, 2024

 

By Daniel B. Garrie, Esq.

In the realm of commercial transactions, asset purchase agreements (APAs) are a cornerstone, facilitating the transfer of assets from one entity to another. These agreements, while meticulously crafted, are not immune to disputes. Arbitration has emerged as a pragmatic and efficient method for resolving such disagreements, ensuring a harmonious transition of assets while preserving the business relationship between the parties involved. 

Understanding Asset Purchase Agreements 

An asset purchase agreement is a legal document outlining the terms and conditions pertaining to the purchase and sale of a company’s assets. These assets may include tangible properties like machinery, inventory, and real estate, or intangible assets such as intellectual property, customer lists, and goodwill. APAs are preferred over stock purchase agreements when buyers wish to acquire specific assets and avoid inherent liabilities. 

APAs are structured to include the identification of assets, the purchase price, representations and warranties, covenants, conditions to closing, indemnifications, and dispute resolution mechanisms. The precise nature of these agreements is essential to both parties, as it governs the transfer of assets and helps in mitigating risks associated with the transaction.

Potential Disputes in Asset Purchase Agreements 

Despite the comprehensive nature of APAs, disputes are not uncommon. These disputes can arise from various aspects of the agreement. Often, disagreements occur when the seller is alleged to have misrepresented the condition, value, or attributes of the assets being sold. Disputes over the valuation of assets, especially intangibles, are also common. Other typical disputes include allegations of non-compliance with an agreement’s terms or issues arising from post-closing adjustments, which are adjustments made to the purchase price based on the actual asset valuation. APA disputes often raise highly fact specific issues that are deeply rooted in the standards and norms of the relevant industry. For this reason, it can be difficult for a trier of fact without industry specific knowledge to accurately assess the issues at play in an APA dispute. 

 

To read the full article, go to Daily Journal

Independent cybersecurity audits

Independent Cybersecurity Audits Are Powerful Tools for Boards

/in , /by

Independent Cybersecurity Audits Are Powerful Tools for Boards

Insights

Independent cybersecurity audits
Read More

Bloomberg Law

 

Independent Cybersecurity Audits Are Powerful Tools for Boards

 

March 11, 2024

 

By Daniel B. Garrie, Esq.

Board members today increasingly face personal liability for their organization’s cyber posture. This has raised the stakes of attestations and created a need to gain insight into cyber programs.

One of the most effective ways to do so is through independent cybersecurity audits. This essential component of responsible organizational governance can demonstrate proactive leadership and reveal possible blind spots. Cybersecurity audits are also necessary for compliance with regulations that hold the board and C-suite accountable for verifying the efficacy of their company’s cybersecurity program.

Recent Regulations

Growing cyber regulatory oversight is demanding dynamic evidence of compliance. The Securities and Exchange Commission’s 2023 rules on cybersecurity risk governance and public company incident disclosure require boards of directors to oversee corporate cybersecurity management and demonstrate active oversight, while facing personal liability for failures. Public reporting companies must also:

  • Disclose all material cybersecurity incidents within four business days
  • Describe process(es) used to identify, assess, and manage material risks from cybersecurity threats, and their effect on business strategy, results of operations, or financial condition
  • Describe the board’s oversight of cybersecurity risks and leadership’s role in assessing and managing material risks from cybersecurity threats

Another recent example is the New York State Department of Financial Services’ amended cybersecurity regulation, which requires covered entities to conduct independent audits of their cybersecurity programs and integrates cybersecurity into business strategy. Changes include:

  • Additional controls and requirements for more regular risk and vulnerability assessments, along with more robust incident response, business continuity, and disaster recovery planning
  • Updated notification requirements, which include reporting ransomware payments
  • Updated direction for companies to invest in at least annual training and cybersecurity awareness

To read the full article, go to Bloomberg Law

Special Masters in Social Media Litigation

Using Special Masters in Social Media Litigation to Streamline Discovery: Navigating the complexities of these cases

/in , /by

Using Special Masters in Social Media Litigation to Streamline Discovery: Navigating the complexities of these cases

Insights

Special Masters in Social Media Litigation
Read More

ALM

 

Using Special Masters in Social Media Litigation to Streamline Discovery: Navigating the complexities of these cases

 

February 21, 2024

 

By Daniel B. Garrie, Esq.

There has been an explosion of litigation in recent years related to the potentially life-threatening effects of social media usage among adolescents. Hundreds of cases have been filed in state and federal courts, many of which have been consolidated into multidistrict litigations or otherwise consolidated within state court departments. One such example in California state court is, in which the court recently overruled Snap’s demurrer on claims that Snap’s conduct in designing and implementing its social media platform, Snapchat, resulted in the foreseeable deaths of plaintiffs’ children, who overdosed on fentanyl.

Litigations involving social media can be complex and highly technical. Such cases often involve collecting and analyzing large amounts of data from social media websites and apps. This can present challenges for the lawyers and judges involved, as they may not be familiar with social media platforms and managing the unique types of data generated and stored on these platforms. Engaging a discovery special master can help streamline discovery in social media litigations to ensure that the right data is collected as efficiently as possible.

Social media repositories present unique issues for the discovery process. For instance, the repositories that hold a user’s social media data are controlled by a third party (e.g., Meta, X, Snap, etc.). Obtaining a user’s data typically requires the user to download their information using the application at issue. However, this download will only capture a snapshot of the user’s data at the time of the download. This means that any subsequent changes to a user’s social media data that occur after the download would not be captured by this snapshot.

To read the full article, go to ALM

Cybersecurity and Privacy Regulations

Small Law Firms Must Take Action and Address Cybersecurity and Privacy Regulations

/in , /by

Small Law Firms Must Take Action and Address Cybersecurity and Privacy Regulations

Insights

Cybersecurity and Privacy Regulations
Read More

ALM

 

Small Law Firms Must Take Action and Address Cybersecurity and Privacy Regulation

 

February 15, 2024

 

By Daniel Garrie, Esq., Peter A. Halprin, Esq., and Elsa Ramo, Esq.

Cybersecurity and privacy regulations have become increasingly important in recent years due to the exponential growth of technology and the internet. The legal industry, including small law firms, is not immune to these challenges. In fact, small law firms must prioritize cybersecurity and privacy regulations to protect their clients’ sensitive information and maintain their professional reputations. This article explores the reasons why small law firms need to care about cybersecurity and privacy regulations and provides recommended first steps.

Six Reasons Why Small Law Firms Should Be Concerned About Cybersecurity and Privacy Regulations

 

    1. Ethical Obligations

As legal professionals, lawyers have an ethical obligation to protect their clients’ confidential information. Rules of professional conduct across various jurisdictions emphasize the importance of maintaining client confidentiality and safeguarding client data. Failing to uphold these ethical obligations can lead to disciplinary action.

From social media posts to a third-party vendor who is managing the website to a company processing a credit card payment on behalf of the firm, the lawyer has an ethical responsibility to ensure that all parties that interface with the law firm are operating under strict confidentiality and complying to prevent the disclosure of confidential information.

    1. Legal Obligations

Small law firms may also be subject to privacy regulations, such as the California Consumer Privacy Act (CCPA). Non-compliance with these regulations can result in financially devastating consequences for small law firms.

As noted above, it is not simply a limited duty for the attorney to maintain confidentiality, but rather the attorney and law firm have a legal obligation to ensure that client information is stored in a way that protects privacy. More often than not, small law firms are paperless and store virtually all of their data electronically, so the law firm must ensure that how, where, and who is storing that data is in compliance with applicable law.

To read the full article, go to ALM

The advantages of mediating Computer Fraud and Abuse Act disputes

/in , , /by

The advantages of mediating Computer Fraud and Abuse Act disputes

Insights

Daily Journal

 

The advantages of mediating Computer Fraud and Abuse Act disputes

 

February 6, 2024

 

By Daniel Garrie, Hon. Gail A. Andler

 

The Computer Fraud and Abuse Act of 1986 (“CFAA”), codified as United States Code Title 18 Section 1030, is probably best known as the primary federal law governing cybercrime in the United States today. However, the CFAA also provides for civil remedies, which some companies have seen as an way to recover monetary damages for suffered losses from data breaches or cyberattacks that the government is either unwilling or unable to prosecute due to the explosion of cybercrime in recent years. For CFAA cases pursued as civil matters, mediation can be an effective tool for resolving disputes, saving the parties time and money in a way that gets to the heart of the technical issues.    

What is the CFAA?  

At a high level, the CFAA prohibits unauthorized access of protected computer systems and the distribution, theft, or damage of information from a computer or network. The CFAA also includes provisions prohibiting other computer related offenses such as computer espionage, trafficking in passwords, and transmitting malicious code.  

Notably, the CFAA also allows individuals to bring civil actions for violations of the CFAA. Pursuant to Section 1030(g) of the CFAA, “Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”  The CFAA limits the right of a private individual to bring a civil action only where the violation: (1) modifies or impairs medical examination, diagnosis, treatment or care of a person or persons; (2) causes physical injury to any person; (3) causes a threat to public health or safety; or (4) causes “loss” to one or more persons during any one-year period aggregating at least $5,000 in value. 

This gives entities that have been the victim of cybersecurity breaches a useful tool in situations where law enforcement does not pursue the matter. There are also advantages for the plaintiff as the “preponderance of evidence” standard of civil cases is much lower than the “beyond a reasonable doubt” standard of criminal cases.

To read the full article, go to Daily Journal

Technical E-Discovery Neutrals in Litigation

Harnessing the Power of Technical E-Discovery Neutrals in Litigation

/in , /by

Harnessing the Power of Technical E-Discovery Neutrals in Litigation

Insights

Technical E-Discovery Neutrals in Litigation

New York Law Journal

 

Harnessing the Power of Technical E-Discovery Neutrals in Litigation

 

February 2, 2024

 

By Daniel Garrie, Leo M. GOrdon

 

E-discovery processes can be complex given the sheer volume and diversity of digital data, combined with the technical intricacies of data management and retrieval. This is where technical e-discovery neutrals come into play, offering their specialized expertise to manage and streamline e-discovery processes.

The digital age has significantly transformed the legal landscape, particularly in the realm of discovery. Electronic discovery (e-discovery) has emerged as a critical part of modern litigation regarding the identification, collection and production of electronically stored information (ESI). However, e-discovery processes can be complex, given the sheer volume and diversity of digital data, combined with the technical intricacies of data management and retrieval. This is where technical e-discovery neutrals come into play, offering their specialized expertise to manage and streamline e-discovery processes, potentially narrowing disputes and saving significant time and cost.

 

Role of Technical E-Discovery Neutrals

Technical e-discovery neutrals are legal professionals with expertise in both the law and technology. They work to facilitate efficient and cost-effective e-discovery processes by advising parties on technical issues, ensuring compliance with relevant legal standards, and arbitrating disputes over ESI. Their involvement can range from consultative roles to more formal appointments by courts, especially in complex litigation where the e-discovery process might be contentious or technically challenging.

 

To read the full article, go to Daily Journal

Roles of E-Discovery and Digital Forensics

Understanding the Distinct Roles of E-Discovery and Digital Forensics

/in , , /by

Understanding the Distinct Roles of E-Discovery and Digital Forensics

Insights

Roles of E-Discovery and Digital Forensics

Daily Journal

Understanding the Distinct Roles of E-Discovery and Digital Forensics

 

December 28th, 2023

 

By Daniel Garrie, Hon. Gail A. Andler

 

E-discovery and digital forensics are two distinct and nuanced concepts that are often conflated in the world of legal technology. While both fields converge in their utilization of digital data and may overlap once litigation is instituted, their applications, methodologies, and implications in legal proceedings significantly differ.

E-Discovery is by its nature employed once litigation (or arbitration, under some rules) has commenced; digital forensics implicates the prelitigation obligation of preservation, as discussed below, and perhaps other aspects of the discipline which may come into play for pre-litigation mediation or other forms of alternative dispute resolution.

Take, for example, the hypothetical situation of a key employee (“Former Employee”) leaving Business A to start a competing business, Business B. As soon as competing business enterprise Business B or Former Employee are put on notice that Business A may dispute some aspect of Former Employee’s actions in leaving Business A or engaging at Business B, Digital Forensics must come into play to identify, preserve and maintain certain electronically stored information of all concerned. Early mediation efforts may take place pre-mediation with the sides, separately or together, utilizing a digital forensics expert to review hard drives or phones to determine whether information has been accessed, downloaded or deleted. In our hypothetical, it is not until either litigation or arbitration permitting discovery commences that eDiscovery may come into play, potentially overlapping with Digital Forensics activities. Following below is a more expansive discussion of each. Understanding the roles and characteristics of these two critical facets of legal practice can aid legal professionals in managing the technical aspects of legal proceedings more efficiently and avoid costly pitfalls. This article provides an overview of the defining features of e-discovery and digital forensics and how they are used in distinct ways in the legal field.

To read the full article, go to JAMS

Instegogram threat creates liability

How the new Instegogram threat creates liability for organizations

/in /by

How the new Instegogram threat creates liability for organizations

Insights

Instegogram threat creates liability

CSO Online

How the new instegogram threat creates liability for organizations 

December 26, 2023

By Daniel Garrie, Jennifer Deutsch and Peter Halprin

Organizations might be at risk of liability for images containing malicious code they post on social media even if they were unaware of it.

Writing in 2017, one of the authors of this article noted that, “Social media networks represent the largest, most dynamic risk to organizational security and allocating liability.” Unfortunately, with the growth of social media networks since then, this threat has only increased. First identified in 2016, this risk combines digital image steganography and social media in the corporate environment. While neither steganography nor social media are new, it is novel to combine both as a tool for malware distribution.

What is Instegogram?

This scheme, known as “Instegogram,” is the use of social networks, Instagram in particular, as a threat actor’s command-and-control site. Instegogram is unique in that “once the remote system is compromised, encoded images can be posted from the command machine using Instagram’s API. The remote system will download the image, decode it, execute the encoded commands, encode the results in another image, and post back to Instagram.” Instegogram was created for academic purposes, but its potential use as part of a malware attack poses the question of who would be liable for such an attack.

Instegogram attacks could remove liability protections

Under Section 230 of the Communications Decency Act (CDA), companies that offer web-hosting services are typically shielded from liability for most content that customers or malicious users place on the websites they host. However, such protection may cease if the website controls the information content. A company that uses a social media network to create the picture or develop information would arguably control that information and thus may not be immune. That is, if a service provider is “responsible, in whole or in part, for the creation or development of the offending content,” its actions could fall outside the CDA’s protections.

To read the full article, go to CSO Online

 
AI-Assisted Legal World

Preparing Law Students For A New, AI-Assisted Legal World

/in /by

Preparing Law Students For A New, AI-Assisted Legal World

Insights

AI-Assisted Legal World

Law360

Preparing Law Students For A New, AI-Assisted Legal World

November 15th, 2023

By Daniel Garrie, Ryan Abbott and Karen Silverman

The legal profession is no stranger to change. From the invention of the printing press to the dawn of the internet, each technological revolution has reshaped how legal professionals work.

Today, another seismic shift is underway as artificial intelligence emerges as a powerful tool in the legal landscape.

A recent study from the University of Minnesota Law School highlighted this transformation, showcasing how AI — specifically, GPT-4, a large language model — aided low-performing law students in improving their exam scores on multiple-choice questions. However, with AI assistance, high-performing students saw a decline in their essay scores.[1]

The findings suggest a potential equalizing effect of AI within the legal profession, which hints at the broader implications of integrating AI in legal education.

This article will delve into the convergence of legal education and AI, exploring the methodologies to train future lawyers with AI and the myriad challenges that may ensue.

The Role of AI in Legal Education

Law schools across the globe are beginning to integrate AI into their curricula, aiming to prepare students for a future where AI plays a central role in legal practice. Here are some ways that AI can and is transforming legal education.

Personalized Learning

AI-powered adaptive learning platforms can give students a more tailored learning experience catering to their strengths and weaknesses. These platforms can suggest or generate personalized content and exercises by analyzing students’ past performance and learning preferences, improving educational outcomes.

Virtual Simulation and Scenario-Based Learning

AI can facilitate immersive and interactive learning experiences through virtual simulations and chatbots. These platforms can simulate real-world legal scenarios and provide instant feedback, allowing students to develop improved problem-solving and critical thinking skills in a controlled setting.

To read the full article, go to Law360